Microsoft New Critical Exchange Bug Exploited as Zero-Day


Summary: Microsoft, in a security advisory, has warned about a new zero-day vulnerability in Exchange Server 2016 and 2019. In this post, we will discuss this vulnerability in detail and see how to fix it and protect Exchange Servers. We will also mention an Exchange recovery tool that can help recover data from compromised Exchange Servers or corrupted databases.

Microsoft has identified a zero-day vulnerability in Exchange Server that attackers are already exploiting. Microsoft disclosed the vulnerability, tracked as CVE-2024-21410, with the February Patch Tuesday update; it is an elevation-of-privilege flaw in vulnerable Exchange Servers. This zero-day primarily impacts Exchange Server 2016 and 2019. The vulnerability allows threat actors to force network devices, including domain controllers and servers, to authenticate against a New Technology LAN Manager (NTLM) relay server under their control, so that they can impersonate the targeted devices and elevate their privileges. The NTLM protocol is normally used for authentication, integrity, and confidentiality of Active Directory/Exchange Server mailboxes.

By exploiting the vulnerability, attackers target NTLM clients, such as Outlook, to obtain the victim’s credentials. These leaked credentials are then relayed to gain the victim’s privileges and perform operations on the Exchange Server on the victim’s behalf. In other words, a successful attacker can impersonate the user using the captured Net-NTLMv2 hash. If the impersonated user has admin access to the Exchange Server, the attacker can modify its configuration or leak data. If data is compromised, the impacted organization can also face legal action for not protecting its clients’ services and data.

How to Mitigate or Protect against this New Vulnerability?

You need to enable NTLM credential relay protection, also called Extended Protection for Authentication (EPA), to address the CVE-2024-21410 vulnerability. Extended Protection (EP) is a feature that strengthens Windows Server authentication and thereby mitigates relay attacks of this kind.

For Exchange Server 2019, install the 2024 H1 Cumulative Update (CU 14), released by Microsoft on Patch Tuesday (February 13, 2024). With this update, Microsoft has announced that Extended Protection (EP) is enabled automatically in CU 14 and onwards.

However, in previous Cumulative Updates of Exchange Server 2019, NTLM credential relay protection was not enabled by default. So, you need to install the latest Cumulative Update (CU 14) as soon as possible to mitigate the vulnerability.

For Exchange Server 2016, first install the latest Cumulative Update (CU) 23 and then download the Exchange Extended Protection Management PowerShell script. This will automatically set up and configure the Extended Protection (EP) option on Exchange Server.

Check the Exchange Server Health

To confirm that the Exchange Server is protected after installing the latest Cumulative Update (CU), you must run the Exchange Server Health Checker script. Download the Health Checker script and run it by using the cmdlet below:
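As an added example (not from the original post and not Microsoft’s Health Checker or Extended Protection scripts), the following PowerShell reports the Extended Protection state of the IIS virtual directories that Exchange exposes, alongside each server’s build, so an administrator can confirm the mitigation described above actually took effect. It assumes the IIS WebAdministration module is present (it ships with IIS), that the site and directory names match a default Exchange layout, and that it is run in the Exchange Management Shell; the CU 14 / CU 23 build threshold is deliberately left as a placeholder to look up in Microsoft’s release notes.

```powershell
# Added example: audit Extended Protection (EP) on Exchange IIS virtual directories.
# Assumption: default site names ("Default Web Site" front end, "Exchange Back End").
Import-Module WebAdministration

# Virtual directories commonly configured by Microsoft's EP script (assumed list).
$paths = @(
    'IIS:\Sites\Default Web Site\EWS',
    'IIS:\Sites\Default Web Site\Autodiscover',
    'IIS:\Sites\Default Web Site\OAB',
    'IIS:\Sites\Default Web Site\Rpc',
    'IIS:\Sites\Exchange Back End\EWS',
    'IIS:\Sites\Exchange Back End\Rpc'
)

# IIS stores EP under windowsAuthentication/extendedProtection; tokenChecking is the
# channel-binding mode: None = EP off (NTLM relay possible), Allow = opportunistic,
# Require = enforced.
$filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

$report = foreach ($p in $paths) {
    if (-not (Test-Path $p)) {
        Write-Warning "Virtual directory not found: $p"
        continue
    }
    $ep = Get-WebConfiguration -PSPath $p -Filter $filter
    $mode = [string]$ep.tokenChecking
    $state = switch ($mode) {
        'Require' { 'ENFORCED' }
        'Allow'   { 'PARTIAL' }
        default   { 'UNPROTECTED' }
    }
    [pscustomobject]@{ Path = $p; TokenChecking = $mode; State = $state }
}

$report | Format-Table -AutoSize

# Anything still at None is the weak setting the advisory warns about.
$weak = $report | Where-Object State -eq 'UNPROTECTED'
if ($weak) {
    Write-Warning ("{0} virtual director(ies) have no Extended Protection" -f $weak.Count)
}

# Build check: compare AdminDisplayVersion with the CU 14 (Exchange 2019) or
# CU 23 (Exchange 2016) build number from Microsoft's release notes.
# <CU14/CU23 build number from Microsoft release notes> is a placeholder, not a real value.
Get-ExchangeServer | Select-Object Name, AdminDisplayVersion
```

Run this on every Exchange server after the Cumulative Update (and, on Exchange 2016, after the Extended Protection script). Microsoft’s own script chooses the tokenChecking value per directory, so compare the reported value with the target that its documentation specifies rather than assuming every directory must be Require; a directory left at None, however, is unambiguously unprotected.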

